#!/usr/bin/env bash
# Pre-cache (unlock) in gpg-agent the passphrases of the GPG keys listed in
# gpg_keys below, or print one decrypted passphrase to stdout. Intended to be
# fetched and run in one go:
# script=$(curl -fsS "https://raw.githubusercontent.com/softvisio/scripts/main/unlock-gpg.sh")
# bash <(echo "$script") $GPG_KEY_ID
# bash <(echo "$script") $GPG_KEY_ID get-passphrase
# NOTE(review): that usage executes an unpinned `main` revision fetched over the
# network; quote "$GPG_KEY_ID", and consider pinning a commit SHA in the URL or
# checking a digest before running it on hosts that hold signing keys.
# -E makes the ERR trap below fire inside functions and command substitutions too;
# -e/-u/pipefail abort on any unhandled failure, unset variable or failing pipe stage.
set -Eeuo pipefail
# On error: print "<script>:<line>" plus the offending source line, then `return 3`
# when the script was sourced, otherwise `exit 3`. Reading "$0" back may yield nothing
# (e.g. when $0 is the /dev/fd/N of a process substitution), hence the `|| true`.
trap 'echo -e "⚠ Error ($0:$LINENO): $(sed -n "${LINENO}p" "$0" 2> /dev/null | grep -oE "\S.*\S|\S" || true)" >&2; return 3 2> /dev/null || exit 3' ERR
# Positional arguments: $1 - key id (an e-mail address, i.e. a key of the JSON map
# below; optional), $2 - action ("get-passphrase" prints the plaintext instead of
# caching it). Both default to empty so `set -u` does not trip on a bare invocation.
gpg_key_id=${1:-}
action=${2:-}
# Handed to `ssh-crypt.sh decrypt` as its only argument; presumably selects whose
# SSH key is used for decryption — confirm in ssh-crypt.sh.
github_username=zdm
# Key id -> encrypted passphrase. The base64 prefix "U2FsdGVkX1" decodes to the
# OpenSSL "Salted__" header, so these look like `openssl enc` output (verify in
# ssh-crypt.sh). Quoted delimiter: the document is literal, nothing is expanded.
gpg_keys=$(
cat <<'JSON'
{
"dzagashev@gmail.com": "U2FsdGVkX1+hSMAl+SljhhnDHE7EXcIjHgypuflLrs9y37YDXqCM9ioN/1B7lYC0",
"deb@softvisio.net": "U2FsdGVkX19XqIKSfUEzXHvgXUluWEF8DiCrBt1gH63pPy2XRfiTmvyhl4YTlM6TJ60olmj1BL9HTQBRXd1Vag==",
"deployment@softvisio.net": "U2FsdGVkX18O+Mz2vYH1tSTc/DPk/zX4VPsy0pwjjJjoezyvwYXJRzmHoEocOk7mNWibXM3o3q/Ii5X5F4LfAg=="
}
JSON
)
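#######################################
# Decrypt one passphrase from the gpg_keys map.
# Arguments: $1 - encrypted passphrase (the base64 blob stored in gpg_keys)
# Globals:   github_username (read) - passed to `ssh-crypt.sh decrypt`
# Outputs:   the plaintext passphrase on stdout, without a trailing newline
# Returns:   non-zero (aborting under set -e / the ERR trap) when the download
#            is empty or the decrypt fails
#######################################
_decrypt_passphrase() {
  local encrypted_passphrase=${1:?encrypted passphrase required}
  local script passphrase
  # SECURITY(review): this fetches and executes an unpinned `main` revision of
  # ssh-crypt.sh over the network on every call; anyone who can push to that
  # repository runs code here with this user's privileges and the ciphertexts
  # above. Pin a commit SHA in the URL (or verify a digest) before relying on it.
  script=$(curl -fsS "https://raw.githubusercontent.com/softvisio/scripts/main/ssh-crypt.sh")
  if [[ -z $script ]]; then
    printf '⚠ ssh-crypt.sh: empty download\n' >&2
    return 1
  fi
  # The ciphertext goes over stdin rather than argv, so it is not visible in `ps`.
  passphrase=$(printf '%s\n' "$encrypted_passphrase" | bash <(printf '%s\n' "$script") decrypt "$github_username")
  # printf instead of `echo -n`: a passphrase starting with '-' or containing
  # backslashes is emitted verbatim.
  printf '%s' "$passphrase"
}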
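#######################################
# Pre-load a passphrase into the running gpg-agent for a key and all its subkeys.
# Arguments: $1 - selector accepted by `gpg --list-secret-keys` (here an e-mail)
#            $2 - the decrypted passphrase
# Globals:   none
# Outputs:   nothing on success; gpg-preset-passphrase diagnostics go to stderr
# Returns:   0 when no local secret key matches (best effort, nothing to cache);
#            under set -e a failing gpg-preset-passphrase aborts the script
#######################################
_precache_passphrase() {
  local key_id=$1
  local decrypted_passphrase=$2
  local keys preset keygrip
  local -a keygrips=()
  # No secret key for this id on this host: deliberately a silent no-op so a
  # machine holding only some of the keys in gpg_keys still unlocks the rest.
  keys=$(gpg --list-secret-keys --with-keygrip "$key_id" 2> /dev/null || true)
  if [[ -z $keys ]]; then
    return 0
  fi
  # gpg-agent caches by keygrip, so every "Keygrip = <hex>" line (primary key and
  # each subkey) is preset.
  mapfile -t keygrips < <(awk '/Keygrip/ { print $3 }' <<< "$keys")
  # Ask GnuPG where its helper lives; fall back to the Debian/Ubuntu path that was
  # hard-coded before (some distributions install it under a libexec directory).
  preset=$(gpgconf --list-dirs libexecdir 2> /dev/null || true)/gpg-preset-passphrase
  if [[ ! -x $preset ]]; then
    preset=/usr/lib/gnupg/gpg-preset-passphrase
  fi
  # NOTE(review): gpg-preset-passphrase only works when gpg-agent runs with
  # `allow-preset-passphrase`; confirm the agent configuration on target hosts.
  for keygrip in "${keygrips[@]}"; do
    # The passphrase goes over stdin, never argv, so it does not show up in `ps`.
    printf '%s\n' "$decrypted_passphrase" | "$preset" --preset "$keygrip"
  done
}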
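# Entry point. Without a key id every entry of gpg_keys is decrypted and pre-cached
# (jq sorts the keys; `reverse[]` walks them last to first). With a key id only that
# key is handled: pre-cached by default, or its plaintext printed to stdout when the
# action is "get-passphrase". The action is honoured only together with a key id.
if [[ -n $action && $action != "get-passphrase" ]]; then
  printf '⚠ Unknown action "%s" (expected "get-passphrase" or nothing)\n' "$action" >&2
  exit 2
fi
if [[ -z $gpg_key_id ]]; then
  mapfile -t key_ids < <(jq -r 'keys | reverse[]' <<< "$gpg_keys")
  for key_id in "${key_ids[@]}"; do
    # --arg binds the id as a jq variable instead of splicing it into the filter
    # text, so quotes or backslashes in an id cannot break or alter the query.
    encrypted_passphrase=$(jq -r --arg id "$key_id" '.[$id]' <<< "$gpg_keys")
    decrypted_passphrase=$(_decrypt_passphrase "$encrypted_passphrase")
    _precache_passphrase "$key_id" "$decrypted_passphrase"
  done
else
  # `// empty` maps an unknown id to an empty string instead of the literal
  # "null", which would otherwise be handed to the decrypter as ciphertext.
  encrypted_passphrase=$(jq -r --arg id "$gpg_key_id" '.[$id] // empty' <<< "$gpg_keys")
  if [[ -z $encrypted_passphrase ]]; then
    printf '⚠ Unknown GPG key id "%s"\n' "$gpg_key_id" >&2
    exit 1
  fi
  decrypted_passphrase=$(_decrypt_passphrase "$encrypted_passphrase")
  if [[ $action == "get-passphrase" ]]; then
    # Plaintext on stdout by design (callers capture it), hence no trailing newline.
    printf '%s' "$decrypted_passphrase"
  else
    _precache_passphrase "$gpg_key_id" "$decrypted_passphrase"
  fi
fi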